Hello,
I'm sorry I was too fast with commit. I've just committed
what's been suggested by bluhm@:
@@ -2186,6 +2186,7 @@ It cannot be used with
.Cm modulate state
or
.Cm synproxy state .
+With this option ICMP replies can create states.
.It Ar timeout seconds
Changes the
.Ar timeout
> This is helpful, but because it's so surprising that "pass proto icmp"
> doesn't pass all icmp traffic, I think it would help to mention it where
> "proto icmp" is described too.
>
> Also, the top of the text about "sloppy" just talks about the sloppy
> TCP connection tracker, I think perhaps it would be better to lead
> with something that suggests it has multiple functions for different
> protocols?
I don't object to any of your enhancements.
reads OK sashan
>
> Index: man5/pf.conf.5
> ===================================================================
> RCS file: /cvs/src/share/man/man5/pf.conf.5,v
> retrieving revision 1.594
> diff -u -p -r1.594 pf.conf.5
> --- man5/pf.conf.5 9 May 2022 20:29:23 -0000 1.594
> +++ man5/pf.conf.5 9 May 2022 21:05:48 -0000
> @@ -594,6 +594,13 @@ or
> .Pc
> must match.
> .Pp
> +ICMP responses are not permitted unless they either match an
> +existing request, or unless
> +.Cm no state
> +or
> +.Cm keep state (sloppy)
> +is specified.
> +.Pp
> .It Cm label Ar string
> Adds a label to the rule, which can be used to identify the rule.
> For instance,
> @@ -2177,7 +2184,7 @@ States created by this rule are exported
> .Xr pflow 4
> interface.
> .It Cm sloppy
> -Uses a sloppy TCP connection tracker that does not check sequence
> +For TCP, uses a sloppy connection tracker that does not check sequence
> numbers at all, which makes insertion and ICMP teardown attacks way
> easier.
> This is intended to be used in situations where one does not see all
> @@ -2186,7 +2193,8 @@ It cannot be used with
> .Cm modulate state
> or
> .Cm synproxy state .
> -With this option ICMP replies can create states.
> +For ICMP, this option allows states to be created from replies,
> +not just requests.
> .It Ar timeout seconds
> Changes the
> .Ar timeout
>
